Measuring and Managing Information Risk: A FAIR Approach
By Jack Freund and Jack Jones
4.5/5
()
About this ebook
Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.
- Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization.
- Carefully balances theory with practical applicability and relevant stories of successful implementation.
- Includes examples from a wide variety of businesses and situations presented in an accessible writing style.
Jack Freund
Dr. Jack Freund is a leading voice in cyber risk measurement and management. As VP, Head of Cyber Risk Methodology for BitSight, Jack has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk. Previously, Jack was Director of Risk Science at quantitative risk management startup RiskLens and Director of Cyber Risk for TIAA. Jack holds a Ph.D. in Information Systems from Nova Southeastern University, a Masters in Telecommunication and Project Management, and a BS in CIS. Jack has been named a Senior Member of the IEEE and ACM, a Fellow of the IAPP and FAIR Institute, and a Distinguished Fellow of the ISSA. He is the 2020 recipient of the (ISC)2 Global Achievement Award, 2018 recipient of ISACA’s John W. Lainhart IV Common Body of Knowledge Award, and the FAIR Institute’s 2018 FAIR Champion Award.
Related to Measuring and Managing Information Risk
Related ebooks
Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook Rating: 5 out of 5 stars5/5Build a Security Culture Rating: 0 out of 5 stars0 ratings7 Rules to Influence Behaviour and Win at Cyber Security Awareness Rating: 5 out of 5 stars5/5FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security Rating: 0 out of 5 stars0 ratingsInformation Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis Rating: 0 out of 5 stars0 ratingsThe Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security Rating: 0 out of 5 stars0 ratingsISO 27001 Controls – A guide to implementing and auditing Rating: 5 out of 5 stars5/5Security Risk Management: Building an Information Security Risk Management Program from the Ground Up Rating: 4 out of 5 stars4/5Building a Practical Information Security Program Rating: 5 out of 5 stars5/5Information Risk Management: A practitioner's guide Rating: 5 out of 5 stars5/5Information Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5Information Security Risk Management for ISO 27001/ISO 27002, third edition Rating: 4 out of 5 stars4/5Fundamentals of Information Security Risk Management Auditing: An introduction for managers and auditors Rating: 5 out of 5 stars5/5The Basics of IT Audit: Purposes, Processes, and Practical Information Rating: 4 out of 5 stars4/5Total Information Risk Management: Maximizing the Value of Data and Information Assets Rating: 0 out of 5 stars0 ratingsISO 27001 Annex A Controls in Plain English: A Step-by-Step Handbook for Information Security Practitioners in Small Businesses Rating: 0 out of 5 stars0 ratingsBusiness Continuity and Disaster Recovery for InfoSec Managers Rating: 5 out of 5 stars5/5CRISC A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsCISSP A Complete Guide - 2020 Edition Rating: 5 out of 5 stars5/5Security Controls Evaluation, Testing, and Assessment Handbook Rating: 5 out of 5 stars5/5Building Effective Cybersecurity Programs: A Security Manager’s Handbook Rating: 4 out of 5 stars4/5NIST Cybersecurity Framework: A pocket guide Rating: 0 out of 5 stars0 ratingsCISM Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratingsInformation Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsBusiness Continuity Exercises: Quick Exercises to Validate Your Plan Rating: 0 out of 5 stars0 ratingsCRISC A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCybersecurity ABCs: Delivering awareness, behaviours and culture change Rating: 0 out of 5 stars0 ratingsCISSP For Dummies Rating: 4 out of 5 stars4/5
Security For You
Cybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5How to Become Anonymous, Secure and Free Online Rating: 5 out of 5 stars5/5The Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life Rating: 4 out of 5 stars4/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5Cybersecurity For Dummies Rating: 4 out of 5 stars4/5CompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratingsRemote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5Network+ Study Guide & Practice Exams Rating: 4 out of 5 stars4/5CompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5CompTIA Network+ Practice Tests: Exam N10-008 Rating: 0 out of 5 stars0 ratingsMake Your Smartphone 007 Smart Rating: 4 out of 5 stars4/5CompTIA CySA+ Practice Tests: Exam CS0-002 Rating: 0 out of 5 stars0 ratingsHacking For Dummies Rating: 4 out of 5 stars4/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Rating: 4 out of 5 stars4/5Codes and Ciphers - A History of Cryptography Rating: 4 out of 5 stars4/5Mike Meyers CompTIA Security+ Certification Passport, Sixth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5Handbook of Digital Forensics and Investigation Rating: 4 out of 5 stars4/5Hacking: Ultimate Beginner's Guide for Computer Hacking in 2018 and Beyond: Hacking in 2018, #1 Rating: 4 out of 5 stars4/5Cybersecurity All-in-One For Dummies Rating: 0 out of 5 stars0 ratingsDark Territory: The Secret History of Cyber War Rating: 4 out of 5 stars4/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratingsPractical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5
Reviews for Measuring and Managing Information Risk
6 ratings1 review
- Rating: 5 out of 5 stars5/5Brilliant book, I have got a deep down understanding of measurement and management of Information risks
Book preview
Measuring and Managing Information Risk - Jack Freund
Measuring and Managing Information Risk
A FAIR Approach
Jack Freund
Jack Jones
Table of Contents
Cover image
Title page
Copyright
Acknowledgments by Jack Jones
About the Authors
Preface by Jack Jones
Preface by Jack Freund
Chapter 1. Introduction
How much risk?
The bald tire
Assumptions
Terminology
The bald tire metaphor
Risk analysis vs risk assessment
Evaluating risk analysis methods
Risk analysis limitations
Warning—learning how to think about risk just may change your professional life
Using this book
Chapter 2. Basic Risk Concepts
Possibility versus probability
Prediction
Subjectivity versus objectivity
Precision versus accuracy
Chapter 3. The FAIR Risk Ontology
Decomposing risk
Loss event frequency
Threat event frequency
Contact frequency
Probability of action
Vulnerability
Threat capability
Difficulty
Loss magnitude
Primary loss magnitude
Secondary risk
Secondary loss event frequency
Secondary loss magnitude
Ontological flexibility
Chapter 4. FAIR Terminology
Risk terminology
Threat
Threat community
Threat profiling
Vulnerability event
Primary and secondary stakeholders
Loss flow
Forms of loss
Chapter 5. Measurement
Measurement as reduction in uncertainty
Measurement as expressions of uncertainty
But we don’t have enough data…and neither does anyone else
Calibration
Equivalent bet test
Chapter 6. Analysis Process
The tools necessary to apply the FAIR risk model
How to apply the FAIR risk model
Process flow
Scenario building
The analysis scope
Expert estimation and PERT
Monte Carlo engine
Levels of abstraction
Chapter 7. Interpreting Results
What do these numbers mean? (How to interpret FAIR results)
Understanding the results table
Vulnerability
Percentiles
Understanding the histogram
Understanding the scatter plot
Qualitative scales
Heatmaps
Splitting heatmaps
Splitting by organization
Splitting by loss type
Special risk conditions
Unstable conditions
Fragile conditions
Troubleshooting results
Chapter 8. Risk Analysis Examples
Overview
Inappropriate access privileges
Privileged insider/snooping/confidentiality
Privileged insider/malicious/confidentiality
Cyber criminal/malicious/confidentiality
Unencrypted internal network traffic
Privileged insider/confidentiality
Nonprivileged insider/malicious
Cyber criminal/malicious
Website denial of service
Analysis
Basic attacker/availability
Chapter 9. Thinking about Risk Scenarios Using FAIR
The boyfriend
Security vulnerabilities
Web application risk
Contractors
Production data in test environments
Password security
Basic Risk Analysis
Project prioritization
Smart compliance
Going into business
Chapter summary
Chapter 10. Common Mistakes
Mistake categories
Checking results
Scoping
Data
Variable confusion
Mistaking TEF for LEF
Mistaking response loss for productivity loss
Confusing secondary loss with primary loss
Confusing reputation damage with Competitive Advantage loss
Vulnerability analysis
Chapter 11. Controls
Overview
High-level control categories
Asset-level controls
Variance controls
Decision-making controls
Control wrap up
Chapter 12. Risk Management
Common questions
What we mean by risk management
Decisions, decisions
Solution selection
A systems view of risk management
Chapter 13. Information Security Metrics
Current state of affairs
Metric value proposition
Beginning with the end in mind
Missed opportunities
Chapter 14. Implementing Risk Management
Overview
A FAIR-based risk management maturity model
Governance, risks, and compliance
Risk frameworks
Root cause analysis
Third-party risk
Ethics
In closing
Index
Copyright
Acquiring Editor: Brian Romer
Editorial Project Manager: Keira Bunn
Project Manager: Poulouse Joseph
Designer: Matthew Limbert
Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA
Copyright © 2015 Elsevier Inc. All rights reserved
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher
Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: permissions@elsevier.com. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions, and selecting Obtaining permission to use Elsevier material
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-420231-3
For information on all Butterworth-Heinemann publications visit our web site at http://store.elsevier.com/
This book has been manufactured using Print on Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate.
Acknowledgments by Jack Jones
Something like FAIR doesn’t come about in a vacuum, and there are a lot of people who deserve my deepest gratitude for the role they played in its development. Sometimes their role was subtle and unintentional; perhaps an offhand comment that spurred deeper thinking or a twist in thinking that unlocked some conceptual obstacle I faced. In other cases the role was explicit and obvious; perhaps as a sounding board, support in the face of skeptics, or mentoring me through political mine fields that litter the information security and risk management landscape. Regardless, the following list (in alphabetical order except for the last two entries) inevitably is incomplete and I beg the forgiveness of anyone who feels I have left them out.
• Dr. Henry Beker—whose deep wisdom and strong support have been so crucial to the ongoing success of FAIR and CXOWARE. It is a true privilege to know someone like Henry, let alone have the opportunity to work with him.
• The team at CXOWARE—how lucky can one person get, to be surrounded by such great energy, intelligence, and skill. These people seem able to work magic, both in building a business and taking my sometimes half-baked ideas and turning them into truly remarkable software.
• Jack Freund—whose mental quickness may be unmatched in my experience. Jack has been a dear friend, great colleague, and outstanding partner in writing this book. In fact, without his gentle persistence this book likely would not exist.
• Mike Keller and Susan Gueli—two amazing people, both of whom I had the privilege of working for during my tenure as CISO at Nationwide. It is entirely accurate to say that without their support my career would have been quite different and far less successful than it has been. I am deeply indebted to both of them.
• Cindi Hart—who was my right hand (and very often my saving grace) in each of my CISO roles. I hold no other professional in higher regard, and her friendship has been a true blessing.
• Kirk Herath—whose support and friendship has been so important over the years. You will not encounter a more courageous professional, or anyone more expert in the field of privacy.
• Jim Hietala and Ian Dobson—whose support for FAIR within the Open Group has been so critical over the years. These gentlemen define the word class,
and it has been a privilege to work with them.
• Douglas Hubbard—perhaps unmatched as a risk guru, Douglas’ books and insights continue to stoke my internal flame for trying to get this right.
• My team and colleagues at Huntington Bank—as with Nationwide, there simply are too many amazing people to list. Here again, my success was largely due to them, and I am deeply grateful for their support and hard work.
• Alex Hutton—great friend, tireless sounding board, and truly remarkable risk professional. It was his hard work in the early years that kept FAIR alive long beyond what would have happened if I had been trying to do it alone.
• Ryan Jones—whose exceptional work developing and providing FAIR training was responsible for keeping CXOWARE afloat in the early days. His unique combination of creativity, critical thinking, work ethic and pragmatism make him a privilege to work with.
• Marty Miracle—another great friend, deep thinker, and brilliant risk professional. Few people have provided more honest feedback, and fewer yet can match the quality of Marty’s analyses.
• Brooke Paul—great advocate and amazing businessman. Brooke’s business advice in the early days, though not always followed by me, was always spot-on.
• My team and colleagues at Nationwide Insurance—any success I realized while at Nationwide was largely a function of the amazing team of professionals around me. There are simply too many to list here, but in my mind and heart they all stand out.
• Eddie Schwartz—easily one of the sharpest minds I have ever encountered. Despite this, he seemed to believe there was something worthwhile in me and mentored me in many ways. I learned an awful lot from Eddie, and am truly grateful for his friendship, guidance, and the opportunities he gave me.
• Steve Tabacek—dear friend and phenomenal business partner. I can’t imagine a harder working more ethical person, and FAIR would have certainly died on the vine without his tireless support and exceptional business acumen.
• Chad Weinman—another great friend and outstanding colleague. I’ve never worked with anyone so completely dedicated to the customer. This combined with Chad’s energy and positive attitude continue to be critical to CXOWARE’s success.
• I am also deeply indebted to all of the early adopters who found value in FAIR and advocated for it even in the face of criticism. These are the people who had the guts to advocate for something that sometimes ran counter to conventional wisdom. Without their timely support I would have likely given up somewhere along the path.
• Last and most important: my wife Jill, son Ryan, and daughter Kristen. They are my inspiration, my heroes, and my reason for being. Their support has meant everything to me. With them I am truly blessed.
About the Authors
Dr. Jack Freund is an expert in IT risk management specializing in analyzing and communicating complex IT risk scenarios in plain language to business executives. Jack has been conducting quantitative information risk modeling since 2007. He currently leads a team of risk analysts at TIAA-CREF. Jack has over 16 years of experience in IT and technology working and consulting for organizations such as Nationwide Insurance, CVS/Caremark, Lucent Technologies, Sony Ericsson, AEP, Wendy’s International, and The State of Ohio.
He holds a BS in CIS, Masters in telecommunication and project management, a PhD in information systems, and the CISSP, CISA, CISM, CRISC, CIPP, and PMP certifications. Jack is a visiting professor at DeVry University and a senior member of the ISSA, IEEE, and ACM. Jack chairs a CRISC subcommittee for ISACA and has participated as a member of the Open Group’s risk analyst certification committee. Jack’s writings have appeared in the ISSA Journal, Bell Labs Technical Journal, Columbus CEO magazine, and he currently writes a risk column for @ISACA. You can follow all Jack’s work and writings at riskdr.com.
Jack Jones, CISM, CISA, CRISC, CISSP, has been employed in technology for the past 30 years, and has specialized in information security and risk management for 24 years. During this time, he has worked in the United States military, government intelligence, consulting, as well as the financial and insurance industries. Jack has over 9 years of experience as a CISO with three different companies, with five of those years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the 2006 ISSA Excellence in the Field of Security Practices award at that year’s RSA conference.
In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 he was honored with the CSO Compass award for leadership in risk management. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework. Currently, Jack is cofounder and president of CXOWARE, Inc.
Preface by Jack Jones
Two questions and two lame answers. Those were the catalyst in 2001 for developing FAIR. At the time, I was the newly minted CISO for Nationwide Insurance, and I was presenting my proposed security strategy to senior executives in hopes of getting additional funding. One of the executives listened politely to what I had to say, and asked two simple
questions:
1. How much risk do we have?
2. How much less risk will we have if we spend the millions of dollars you’re asking for?
If he had asked me to talk more about the vulnerabilities
¹ we had or the threats we faced, I could have talked all day. Unfortunately (or, I guess, fortunately), he didn’t. He wanted to understand what he was going to get in return for his money. To his first question, I answered, Lots.
To his second question, Less.
Both of my answers were accompanied by a shrug of my shoulders—tacit admission that I didn’t have a leg to stand on (he knew when he asked the questions that I wouldn’t have a useful answer). The good news was that I got most of the money I was asking for, apparently out of blind faith. The even better news was that I left the meeting determined to find a defensible answer to those questions.
When I began working on FAIR, I had absolutely no idea that an international standards consortium like The Open Group would adopt it as a standard, that people would be building software to implement it, or that organizations would pay to have their people trained in it. Nor had the idea of a book crossed my mind. It also never crossed my mind that what I was developing could be used to evaluate other forms of risk beyond information security. All I wanted was to never have to shrug my shoulders and mutter lame responses to those questions again. This, I have accomplished.
What this book is not, and what it is
If you are looking for a book that spoon-feeds you answers to the daily questions and challenges you encounter as an information security professional, you’ve come to the wrong place. This book doesn’t provide much in the way of checklists. You will likewise be disappointed if you’re looking for a book based on deep academic research, complete with references to scores of scholarly resources. There are only a handful of references to other works, very few of which would probably qualify as scholarly
in nature. If you’re looking for highly sophisticated math and formulas that make the average person’s eyes roll back in their heads—my apologies again. FAIR simply is not that complicated.
First and foremost, this is a book about critical thinking. And if you get nothing else out of it, I hope it helps you to think critically and perhaps differently about risk and risk management. It represents the current state of my exploration into risk and risk management, and how it’s being applied today. And as with many explorations, the path has been anything but simple and straight. The experience has been like trying to unravel a tangled ball of twine. You pull on a thread for a while, thinking you are on the right track, only to realize you created a nasty knot that you have to pick apart—and then start over. Some of those knots were due to my own logical failures or limited background. Other times, too many times, the knots existed in large part due to risk-related fallacies I had (and the industry still has) bought into for years. You will find in here that I take square aim at a number of sacred risk management cows, which is certain to have me labeled a heretic by some folks. I’m more than comfortable with that. This book attempts to lay out before you the current state of this twine, which is now much less tangled. There are still strings to pull though, and knots to unravel, and there always will be. Maybe you will take what you read here and do some pulling and unraveling of your own. And if you find and unravel knots that I inadvertently created, so much the better.
A snippet from a T.S. Eliot poem does a great job of capturing my experience with FAIR:
… and the end of all our exploring will be to arrive where we started and know the place for the first time.
T.S. Eliot
That pretty much nails it. My exploration may not be over but there is no question that I know risk and risk management far better than if I hadn’t bothered to explore. I hope you’ll feel the same way after you’ve read this book.
Cheers,
Jack Jones
March 2014
¹ You will see later in the book why I put the word vulnerabilities
in quotes.
Preface by Jack Freund
While writing this book, Jack Jones and I had a conversation about some of the difficulties faced by those in this profession, and especially those who are interested in bringing quantitative methods into common practice. During this discussion I did what I always do when I’m full of myself and waxing eloquent: I use Socratic Method to help summarize and build analogies to help illustrate key points. I have one friend who called me The Great Distiller
(with tongue firmly planted in cheek). Jack liked the point I made, and suggested that I write about it here to help frame the book and the work being done on FAIR. Essentially, the point I made went something like this.
What is one of the first things that a new leader in IT risk and security needs to do? Well, there are a lot of tasks to be sure: building relationships, hiring staff, diagnosing problem areas, and building out new and/or enhanced processes. This list could be written about most leadership jobs in any profession. However one task that will show up on that list is something like identify risk assessment methodology.
How unique that is to our profession! Think about that for a minute: you could have a fully implemented risk function that is rating issues and risk scenarios everyday. Yet, when a new leader joins your organization, they may wipe all of that away because they disagree with the method being used. And this may be for reasons as simple as it’s unfamiliar to them, they prefer another method more, or a little from column A and a little from column B.
I was discussing this with someone who runs a chemistry lab. She has a PhD in organic chemistry, runs a peptide laboratory, and who modestly refers to herself simply as a chemist.
I asked her if this is a routine practice in chemistry. Does one of the early tasks of a new lab manager involve choosing the method of chemical interaction they are going to use? Do they define their own approach and methodology for handling volatile chemicals?
Certainly not,
she replied. Once it is determined the type of chemistry they are going to be doing (organic, inorganic, nuclear, etc.), they will need to supply the lab with the materials necessary to do their job. She said there are five basic chemicals she uses in her peptide lab and once those are selected, it is a matter of outfitting the lab with the correct safety devices and handling precautions (fume hoods, storage containers, etc.). Do any of these tasks involve explaining to your staff your view on how these chemicals interact? Do you have to have conversations to get their minds right on how to do chemistry?
I asked. She told me this is not the case (although we had a good chuckle over those that still insist on pipetting by mouth). There are well-known principles that govern how these chemicals work and interact. In areas where there is dispute or cutting-edge work, those involved in its practice use the scientific method to gain a better understanding of what truth
looks like and present their work for peer review.
We may never get to the equivalent of a periodic table of risk, but we need to try. We need to set stakes in the ground on what truth looks like, and begin to use scientific method to engage each other on those areas where we disagree. I genuinely want to get better at the practice of IT risk, and I know that Jack Jones does too. It is for this reason that FAIR has been publicly reviewed and vetted for several years now and why Jack Jones placed the basic FAIR taxonomy discussed in chapter 3 in the hands of a neutral standards body (The Open Group). By all means, let us have an open dialogue about what works and what does not. But let us also use impartial, unbiased evidence to make these decisions.
I wrote this book to accomplish several things. First, it is a great honor to be able to author a book with one’s mentor. It is an even bigger honor to help your mentor write a book about their life’s work. That really is significant to me, but it is also a weighty responsibility. I learned FAIR from Jack early on in the part of my career where I was beginning to do Governance, Risk, and Compliance (GRC) work in earnest. By that time, I had been studying, training in, and writing about various methods of risk assessment and it was becoming clear to me that what passed for a method was more process than calculation. Indeed, if you compare most major risk assessment methods, they all bear a striking resemblance: you should consider your assets, threats to them, vulnerabilities, and the strength of the controls. Somehow (although rarely ever explicitly identified), you should relate them to one another. The end result is some risk rankings and there you go. Except that is the problem: no one tells you how to do this exactly, and often times you are encouraged to make up your own solution, as if we all know the right way to go about doing that.
What I learned from Jack was simple and straightforward. The relationship between the variables was well reasoned and well designed. It was easy to understand and explain. It also included some sophisticated math, yet was still easy for me to use (I always scored higher on verbal than math sections on any standardized test). I have often been accused of knowing only a single method for assessing risk (a statement that is wildly inaccurate). I know many methods for assessing risk, yet only one that seeks to calculate and analyze risk in a defensible way. Knowing how to do that gives you a sense of composure, and perhaps even some bravado. You do not shy away from difficult or hard problems because you have learned how to model these scenarios even when you do not have the best data available. This can be off-putting to some people. But you will come back to the FAIR taxonomy and calculation method over and over again. It is like learning the quadratic formula after years of solving quadratic equations using factoring. Why go back to something that is harder to do and takes longer to complete? I will tease Jack often by saying that he has ruined me
for other types of risk analysis methods. He takes my good-natured ribbing well. What I mean is that he has showed me the right way to do it, and it is difficult for me to go back to other approaches since their flaws have been laid bare before me. So to that end, yes I only know one (good) method for practicing risk and I have been thoroughly ruined for all the other (not as good) methods for doing risk assessments. And for that I thank you Jack Jones.
The second major reason I decided to write this book is because I believe we are on the precipice of something really amazing in our profession. IT risk is really starting to become its own distinct function that is slowly separating from Information Security proper while simultaneously becoming more intertwined with it. In my role as an educator, I often have discussions with students who are looking to break into the risk and security profession I often tell them that these jobs are really IT specialties and what they really need is to gain some experience in a reference discipline; they need a strong foundation in networking or application development as an example. Only after a few years of work in these roles will they be able to provide useful security work to a future employer. This used to be the way that people entered the security function. Often it was only after many years of work administering servers or working on network routing tables that you were given the chance to be a security practitioner full time. The industry is changing now, and more and more I find that there are paths into risk and security that do not involve even a moderate level of knowledge of something else first.
This is not necessarily bad, however it has some implications. Since we can no longer depend on someone having a solid skillset to draw upon, they may not know a lot about the environments they are now charged with assessing. Second, if they were trained with specific security knowledge that often means that they missed some of the foundational elements that are a part of a core liberal arts education (critical thinking and scientific method as an example). It is also important to learn how to be more autodidactic (a word I learned while being an autodidact).
This book is written in part to help fill out the knowledge gap that a lot of people have when faced with a job that is primarily risk-based. I often draw a diagram for people, which I think adequately reflects the real nature of the skills necessary for working in this job (Figure P.1):
FIGURE P.1 IT risk job skills.
By and large, most of the job is talking to people. You have to learn how to perform technical interviews of IT people and business process reviews with business people. You have to learn how to talk with the person running backups on mainframes, as well as to be able to present risk information to the board of directors. Do not forget the importance of being able to write: risk communication also includes the ability to write e-mails and reports. Essentially, you have to develop a skillset that includes general soft skills and some specialized techniques. This book will aid with some of this.
Good risk practitioners also have technical knowledge. Most of this is not covered here. Like my (aging) advice to college kids, find some way to gain that knowledge either by education or practice. This is probably the easiest of the three to get better at, given the proliferation of free and near-free training available today.
Lastly are the risk skills necessary for success. Addressing this is a big reason we wrote this book. We will go over the definitions for risk variables, how to apply them, how to gather data, taxonomies, ontologies, range estimation, Monte Carlo method, metrics, and reporting. But do not be thrown off by this: our approach is to focus on applied techniques and methods necessary to do the job of an IT risk practitioner today. This is not a book that is heavy with theoretical and complex notions of risk and mathematics. There are many other great books out there that cover this written by authors far more qualified to discuss the topic than we are. My focus in the practice of risk has been on its practical application. It is an irony not lost on me: the guy with the PhD ends up constantly complaining about being practical to those around him. However beautiful and elegant the theory may be, I personally find practical application to be a much better indicator of reality. That and I like to get my hands dirty. To this end, I have always found motivation in this quote from Albert Einstein:
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius—and a lot of courage—to move in the opposite direction.
I do not want risk to be complicated. It should be no more complicated than it needs to be, and I have been on record for a long time that I do not believe the people charged with running the businesses and organizations where you work are incapable of understanding IT risk (when properly explained). It is easy to make it complicated; it takes dedicated practice to make it easy.
That brings me to the third and final reason that I wanted to write this book. In my family, it is generally understood that I do something with computers.
And although I imagine many in the various and sundry nooks and crannies of the practice of Information Technology have similar experiences, I have always wanted to be able to find a better (simpler) way to describe the work that I and we as a profession do everyday to the layperson. This explanation I have sought alongside the rapidly changing profession that we labor in daily. As I have outlined above, it is changed enough that it is no longer sufficient to simply say Information Security is our job. The well informed will find it obtuse (what kind of InfoSec do you do?) and the IT civilian still will not know what you are talking about really. Over the years, I have practiced with certain words and phrases to help make it clearer; I tend to use some tactile examples such as how I protect people’s bank and retirement accounts from hackers (but even that really is not precisely true). However, given the proliferation of these kinds of attacks and their growing impact, there is usually something in my descriptions that is sufficient to satisfy the cursory inquiry of most. However, I have found that some of those closest to me are routinely curious enough such that they deserve a more complete and full answer as to what exactly I do at work everyday (and most evenings); Mom, this is for you.
Jack Freund, PhD
March 2014
Chapter 1
Introduction
Abstract
This chapter makes the case for the need for quantitative risk management. It begins with the Bald Tire thought experiment to help make the case for a need to articulate assumptions, discuss terminology, and makes plain the factors of risk that we care about modeling and how to communicate them effectively to management. This section also discusses the difference between risk assessment and risk analysis, and details the deficiencies in current approaches that treat the two the same. Lastly, the chapter spells out the progression of topics for the remainder of the book and offers some words of advice on how thinking about risk will impact your ability to make better decisions in all aspects of your life.
Keywords
Analysis; Assessment; Assumptions; Bald tire; Risk; Threat; Vulnerability
How much risk do we have?
How much risk is associated with…?
How much less (or more) risk will we have if…?
Which of our risk management options are likely to be most cost-effective?
What benefit are we getting for our current risk management expenditures?
These are the core questions that FAIR (Factor Analysis of Information Risk) is intended to help us answer. But how is FAIR any different than what the profession has been doing for years? That’s what this chapter is about—describing the reasons why being FAIR
about risk is different and, in many ways, better.
How much risk?
Pick a risk issue. Doesn’t matter what the issue is. It could be an information security issue like cloud computing,
a business issue like entering a new market, or a personal issue like buying a used car. Now, if someone asked you how much loss exposure (risk) is associated with that issue, can you answer him or her? Let us rephrase that. Can you answer them and stand behind your answer? With a straight face? If you are using FAIR effectively, you can.
The reason you can rationally answer questions like these using FAIR is because it provides a well-reasoned and logical evaluation framework made up of the following elements:
• An ontology of the factors that make up risk and their relationships to one another. This ontology provides a foundational understanding of risk, without which we could not reasonably do the rest. It also provides a set of standard definitions for our terms.
• Methods for measuring the factors that drive risk
• A computational engine that derives risk by mathematically simulating the relationships between the measured factors
• A scenario modeling construct that allows us to apply the ontology, measurements, and computational engine to build and analyze risk scenarios of virtually any size or complexity
TALKING ABOUT RISK
How complicated is FAIR? Not very. The concepts and ontology are quite straightforward, and measuring the variables can often be downright simple. Unfortunately, the world in which we have to apply FAIR (or any other analysis framework) is often very complex, and that is where we face the learning curve in analyzing risk. What FAIR does is simplify the problem by providing a relatively noncomplex lens through which to view and evaluate the complex risk landscape.
The bald tire
Those of you who have had some exposure to FAIR in the past might expect this section to be old news.
Well, yes and no. Although you may already know how it turns out, some of the discussion and terms have evolved. As a result, it is probably worth your time to read it. If you have never of heard of FAIR or the Bald Tire, then know that this is a thought experiment to help us uncover some of the challenges with the current state of risk analysis.
The bullets below describe a risk scenario in four simple stages. As you proceed through each of the stages, ask yourself how much risk is associated with what’s being described:
1. Picture in your mind a bald car tire. Imagine that it is so bald you can hardly tell that it ever had tread. How much risk is there?
2. Next, imagine that the bald tire is tied to a rope hanging from a tree branch. Now how much risk is there?
3. Next, imagine that the rope is frayed about halfway through, just below where it’s tied to the tree branch. How much risk is there?
4. Finally, imagine that the tire swing is suspended over an 80-foot cliff—with sharp rocks below. How much risk is there?
Now, identify the following components within the scenario. What was the:
• Threat,
• Vulnerability, and
• Risk?
Most people believe the risk is high
at the last stage of the scenario. The answer, however, is that there is very little risk given the scenario exactly as described. Who cares if an empty, old bald tire falls to the rocks below? But, but…what about the person using the tire swing?! Ah, what person? We never mentioned any person.
Assumptions
Was our question about the amount of risk unfair? Perhaps, and we’ve heard the protests before…But what if someone climbs on the swing?
and, The tire’s purpose is to be swung on, so of course we assumed that somebody would eventually climb on it!
Both are reasonable arguments. Our point is that it is easy to make assumptions in risk analysis. In fact, assumptions are unavoidable because the world is infinitely complex.
That is our first point—assumptions are unavoidable. Assumptions are also the most likely source of problems within most analyses because, too often, people do not examine their assumptions or even recognize when they are making them. They just shoot from the hip. That scenario is high risk!
they’ll say. Unfortunately, the person next to them may be making a different set of assumptions and react with, Are you nuts? Clearly that scenario is low risk!
Most of the time, the disagreement is based on different assumptions.
One of the significant advantages to using FAIR is that its ontology and analysis process help you to identify and clarify your assumptions. That way, when someone questions your results, you are in a position to explain the assumptions underlying the analysis.
Terminology
Our second point is that from any group going through the Bald Tire scenario, we will typically get several different descriptions of what constitutes the threat, vulnerability, and risk within the scenario. We’ve heard the frayed rope described as threat, vulnerability, and risk. We have also heard the cliff and rocks described as threat and risk.
The simple fact is that much of the risk profession (including the operational risk discipline) has not adopted standard definitions for these terms. Compare this to other professions. Physicists do not confuse terms like mass, weight, and velocity, and financial professionals do not confuse debit and credit—even in informal discussions—because to do so significantly increases the opportunity for confusion and misunderstanding. It also makes it tough to normalize data. This is important to keep in mind when we’re trying to communicate to those outside our profession—particularly to executives who are very familiar with the fundamental concepts of risk—where the misuse of terms and concepts can damage our credibility as professionals and reduce the effectiveness of our message. After all, our goal is not to create a secret risk language that only we can talk about—effectively isolating ourselves from other risk professionals.
TALKING ABOUT RISK
Go to your local bookstore or library and pick up two different books on risk by two different authors. There is a very good chance that you will find that they have used foundational terminology differently from one another. For that matter, there’s a decent chance that each author uses fundamental risk terminology inconsistently within his or her own book.
So, what are the threat, vulnerability, and risk components within the Bald Tire scenario? The definitions themselves are described in Chapter 3, but within this scenario:
• The threat is the earth and the force of gravity that it applies to the tire and rope.
• The frayed rope introduces some amount of vulnerability, but is NOT a vulnerability itself. Huh? Vulnerability (in FAIR) is a probability statement. In other words, it is the probability that a threat event (e.g., the force of gravity on the tire and rope) will become a loss event (e.g., the rope breaks). In FAIR, we use the term vulnerability in a way that answers the question, How vulnerable are we?
In answer to that question, a FAIR practitioner may answer something like, between 30 and 45%.
Simply stated, the rope represents a control, and its frayed condition simply increases the probability of a loss event. If this still doesn’t entirely make sense to you, it will later as we get into the framework in more detail.
• What about risk? Which part of the scenario represents risk? Well, the fact is, there isn’t a single component within the scenario that we can point to and say, Here is the risk.
Risk is not a thing. We can’t see it, touch it, or measure it directly. Similar to speed, which is derived from distance divided by time, risk is a derived value that represents loss exposure. It’s derived from the combination of factors described in FAIR’s ontology.
Having made an issue of terminology, the following paragraphs introduce and briefly discuss some basic definitions.
Threat
A reasonable definition for threat is anything (e.g., object, substance, human, etc.) that is capable of acting in a manner that can result in harm. A tornado is a threat, as is someone driving a car, as is a hacker. The key consideration is that threats are the actors (a.k.a., agents
) that can cause a loss event to occur. This is in contrast to some common usage, where conditions may be referred to as threats. For example, someone might refer to a puddle of water on the floor as a threat,
when in fact it is not. It is passive, inanimate, and not an actor in any meaningful way. A person stepping on it is the threat actor. The water simply increases the probability that the threat action (stepping on the wet floor) results in a loss event (a slip and fall accident).
Vulnerability
Although the word vulnerability
is commonly referred to as a weakness that may be exploited by a threat,
that isn’t how we view things in FAIR. Similar to the term risk, vulnerability is considered a value rather than a thing. As a result, you can’t point to something and say, Here is a vulnerability!
What you can do is point to a control (like a frayed rope) and declare, Here is a condition that increases our vulnerability.
It may feel like a fine point, but trust us, it is a critical distinction. The relevance of this distinction will become clearer as you progress through this book.
Risk
The following definition applies regardless of whether you are talking about investment risk, market risk, credit risk, information risk, or any of the other common risk domains:
Risk—The probable frequency and probable magnitude of future loss.
In other words—how often losses are likely to happen, and how much loss is likely to result. Rest assured, we’ll get into much more detail on this in Chapter 3.
The bald tire metaphor
In large part, risk management today (particularly operational risk management) is practiced as an art rather than a science. What is the difference? Science begins by analyzing the nature of the subject—forming a definition and determining the scope of the problem. Once this is accomplished, you can begin to form and then substantiate (or not) theories and hypotheses. The resulting deeper understanding provides the means to explain and more effectively manage the subject.
Art, on the other hand, does not operate within a clearly defined framework or definition. Consequently, it isn’t possible to consistently explain or calculate based upon an artistic approach. In fact, it doesn’t even seek to explain. It just is.
A useful example is shamanism. The shaman rolls his bones or confers with his gods.
He then prescribes a remedy based upon what his ancestors have passed down to him (analogous to best practices
). Now, some shamans may be extremely intuitive and sensitive to the conditions within a scenario and may be able to select a reasonable solution on most occasions. Nevertheless, the shaman can’t rationally explain his analysis, nor can he credibly explain why the cure works (or sometimes doesn’t work). In addition, while we would like to believe that best practices are generally effective (as we strive to reuse what we think has been successful in the past), this can be a dangerous assumption. Best practices are often based on long-held shamanistic solutions, tend to be one-size-fits-all, may evolve more slowly than the conditions in which they are used, and can too often be used as a crutch—e.g., I can’t explain why, so I’ll just point to the fact that everyone else is doing it this way.
There is, however, no question that intuition and experience are essential components of how we do our jobs. The same is true for any profession. Yet these alone do not provide much traction in the face of critical examination, and are not strong formulas for consistency.
In order for the risk management profession to evolve, we have to begin to approach our problem space more rigorously and scientifically (note that we did not say purely scientifically
). This means we have to seek to understand why and how, we have to measure in a meaningful way, and we have to be able to explain things consistently and rationally.
Risk analysis vs risk assessment
Many people don’t differentiate assessment
from analysis,
but there is an important difference. From a FAIR perspective, risk analysis is often a subcomponent of the larger risk assessment process.
The broader risk assessment process typically includes:
• Identification of the issues that contribute to risk,
• Analyzing their significance (this is one place where FAIR fits in),
• Identifying options for dealing with the risk issue,
• Determining which option is likely to be the best fit (another opportunity to apply FAIR), and
• Communicating results and recommendations to decision-makers.
As you can see, analysis
is about evaluating significance and/or enabling the comparison of options. Unfortunately, much of what you see today in risk management is assessment without meaningful (or accurate) analysis. The result is poorly informed prioritization and cost-ineffective decisions.
Bottom line—The purpose of any risk analysis is to provide a decision-maker with the best possible information about loss exposure and their options for dealing with it.
Evaluating risk analysis methods
FAIR is just one approach to risk analysis. There are many people working to develop other methods with the same goals in mind. This is terrific news to those of us who are trying to be as effective as possible in managing risk. However, regardless of the methods you consider using, we encourage you to evaluate any risk analysis method on at least three points:
1. Is it useful?
2. Is it practical?
3. Are the results defensible?
A methodology is useful when the results are accurate and meaningful to decision-makers. If an analysis method provides results that are expressed in qualitative or ordinal scales, then meaningfulness must be questioned. Why? Well, what does a risk score of 3.5 mean? We suppose it’s better than a risk score of 4.1 (assuming one is good and five is bad), but ultimately, how do you compare that kind of value statement, or something like medium,
against the other more quantitative considerations (like revenue projections or expenses) that inevitably play a role in decisions? As for accuracy, a precise ordinal rating like 3.5 or 4.1 is just begging to be picked apart because it implies a level of precision that is unrealistic in risk analysis. Why 3.5 and not 3.6 or 3.7? Or, if the risk rating is qualitative (e.g., medium
), then accuracy is often a matter of what assumptions were being made and how rigorous the thinking was that underlies the analysis (typically not very rigorous).
Now, some decision-makers find qualitative or ordinal results acceptable. That’s fine. Fine, that is, until you have to defend those risk statements when you are asking for significant funding or telling them that their pet project can’t proceed because it has high risk.
(Good luck, by the way, defending 3.5 or high
to a strong critical thinker.) In our experience, the underpinnings of those kinds of risk values are arrived at through very little rigor, through questionable methods, or both. The executives might not push back, but don’t count on it.
Practicality is a crucial matter. It does little good to apply rocket science when all you really need to do is cross the street. Don’t get us wrong, though. You can go deep into the weeds with FAIR if you want or need to. However, you don’t have to. The same should be true for any practical risk analysis approach—i.e., you should be able to apply it quick-and-dirty if need be, or go deep.
There are risk analysis
methods in use today whose logic falls apart under close examination. Often, these methods call themselves risk analysis when what they are really analyzing is a subcomponent of risk (e.g., control conditions). Keep in mind, however, that these methods may be excellent at what they actually do, so don’t disregard their value. It’s simply a matter of recognizing what they do and do not provide. A simple way of identifying a bona fide risk analysis method is to determine whether it includes an analysis of threat frequency, vulnerability, and loss magnitude, and whether it treats the problem probabilistically. If one or more of these components is missing, or if the problem is not treated from a probabilistic perspective, then it likely can’t be defended as a true risk analysis method.
Let’s look at an example risk analysis
against this three-point litmus test:
Risk issue: Absence of segregation of duties for system administrators.
Asset at risk: Corporate financial data that supports financial reporting (a SOX concern for publicly traded companies in the United States)
Risk rating: High risk. The assessing individual felt that it was possible for system administrators to manipulate data feeding the financial reporting process, which would require restatement of finances. This could result in significant penalties and reputational damage.
My, that does sound scary.
In this case, executives are presented with a situation they may only superficially understand (i.e., they may understand the concept of segregation of duties, but they couldn’t explain it in this technology context). They do know that they do not want to be